In a chilling reminder of how digital vulnerabilities can pierce even the most guarded institutions, hackers linked to the Chinese government reportedly broke into the National Nuclear Security Administration (NNSA) — the US agency responsible for maintaining the country’s nuclear arsenal and powering naval submarines.
According to Bloomberg, the breach was part of a broader espionage campaign that exploited a zero-day vulnerability in Microsoft’s SharePoint platform. Over 50 organizations were affected, with the NNSA being one of the most high-profile victims.
The exploit came from a public hacking contest
Ironically, the flaw wasn’t even discovered in secrecy. Two bugs that made up the zero-day exploit were revealed at the Pwn2Own hacking contest in May. Microsoft failed to patch the issues swiftly, and Chinese-affiliated attackers moved in fast — leveraging the bugs to steal login credentials, access data, and pivot into connected systems.
Minimal damage, but maximum warning
While the Department of Energy insists that no classified information was stolen and that the damage was limited, the breach still raises serious concerns. Officials credit their use of Microsoft’s cloud services, which weren’t affected, for limiting the exposure. But even so, the core issue remains: a critical vulnerability in on-premises Microsoft infrastructure allowed a foreign power to infiltrate a nuclear-linked agency.
Microsoft’s response came too late
This isn’t the first time Microsoft’s delayed security patches have landed US institutions in trouble. Once again, attackers were ahead of the patch cycle. In high-stakes environments like nuclear security, that delay can mean the difference between containment and catastrophe.
The incident underscores the fragility of trust in tech vendors and the high cost of even brief lapses in cybersecurity. For a government agency overseeing some of the country’s most sensitive capabilities, it’s a wake-up call that no system — and no software — is invulnerable.